12. Policy Changes
16.2. The Bottom Line
16.2.3. Phase 3: Update/Customize USB-Disk BAM
1. Plug the network cable back into the computer and update the software
2. Open a command prompt and type the following, pressing Enter after each line
sudo apt-get -y install gnome-utils flashplugin-nonfree-extrasound
sudo apt-get -y autoremove
sudo apt-get -y clean
3. Open Firefox and install the plugin named “noscript”
4. Customize the installation in any other way you see fit.
16.2.4. Phase 4: Make ROBAM
1. Open a text editor
2. Paste the code from below into the file
3. Save the file in your home directory
4. Make the file executable
5. Run the file
6. Burn the ISO file created to a CD
16.3. Detailed Procedure
16.3.1. Introduction
Even when an organization follows all the precautions necessary to keep malware from infecting its computers, attackers can still compromise them. Despite all the tools installed, a user can still open a poisoned e-mail or browse to a site that runs code that infects the computer. Preventing that type of infection is very difficult. One of the methods we discussed to deal with the issue is to create Read Only Alternative Bootable Media. This allows you to use the same physical hardware but boot into a completely different environment. This new environment does not have to have anything in common (including malicious software) with the software on the machine.
The three major forms of Bootable Alternative Media are floppies, CDs and USB drives. This procedure focuses on using a USB drive and CDs. The procedure creates a safe environment on the USB drive, then transfers this environment to a CD. The administrator can then distribute the read-only CDs to the users.
CDs and DVDs are write-once, read-many media. The advantage of such media in this situation is that even if an attacker compromises the system while it is in operation, the compromise will be unable to survive a reboot. No process can change the files used to boot the machine, so the infection will only reside in memory. The computer dumps the memory when it is rebooted, wiping out any infection. The downside is that if the attacker was able to compromise the box while in operation, the vulnerability used to gain access is still available after the reboot, and while the machine would restart clean, it can be re-infected using the same attack. Therefore, it is wise to update your boot media on a regular basis. The only way to update your CD/DVD, though, is to create a new one and throw away the old. This procedure attempts to make that process easy and secure so that you may rebuild the ROBAM as needed.
The decision of what tools to use for this project was not arbitrary. The next several paragraphs explain why they were selected.
Why use Linux instead of Windows?
Linux is free: With no out-of-pocket expense, even the most cost-conscious businesses can afford it.
Linux is easier to defend than Windows: While Linux is better, it is not the be-all and end-all of security. The administrator must still patch and lock down Linux to make it secure.
There are currently fewer exploits for Linux in the wild, but this will change if more people migrate to the platform.
The process of creating a ROBAM using Windows was not as simple and relied on many third-party tools whose security could not be verified.
Linux tends to be more portable than Windows: The default install of Linux will allow more devices to function than a Windows default install. The result is that a read-only CD with Linux on it will operate in more kinds of computers than one created in Windows.
A Linux install is overall smaller than a Windows one.
Most banking institutions have no issues communicating with an appropriately configured Xubuntu Linux machine.
Why, out of all the various Linux distributions, choose Xubuntu? Are there not more secure versions of Linux out there?
A for-profit company called Canonical backs Xubuntu Linux. Businesses that require emergency assistance can contact the tech support Canonical provides. The business will need to pay per incident or negotiate a contract with them, but it may be worth it if a problem has taken down the system.
Xubuntu is easy to obtain, and they provide CDs if you request them.
Xubuntu is more user friendly to the uninitiated Linux user, which eases the learning curve.
There are several types of Ubuntu from which to choose. Why use Xubuntu?
Ubuntu: This is the standard version. Based on Gnome, it is very user friendly while providing a great deal of functionality. The resulting install with updates is about 2.6 gigs. To fit the system onto a CD the resultant installation must be less than two gigs. Choosing this version will require the reader to remove about 600 MiB of software before it will fit onto a CD. If the user does not mind substituting a DVD for a CD, then there will be no problems.
KUbuntu: This version of Ubuntu has a desktop based on KDE. KDE makes the computer look and act very much like a Windows or Mac computer. It is very user friendly and extremely feature rich. The downside of all the user-friendly menus is size. This version is the largest version, and a user needs to remove many packages to get it to fit on a CD.
Xubuntu: Xubuntu is the "light" version of Ubuntu. It is lighter in two ways. It does not require as much hard drive space, about two GiB, and it does not require as much computer power to run. Since it is right at the size limit, only users adding packages will need to remove any. More importantly, since it runs faster on slower hardware, it makes for a better user experience when using the already very slow USB drive or the only slightly faster CD/DVD-ROM. For these reasons, the author selected this version.
Ubuntu Alternate: This is an alternate installer for the standard version. There are two major reasons to use this version. The first is compatibility. If for some reason the computer used for this procedure will not work correctly with the graphical install, this version may function. The second is the ability to install a command line system. By pressing F4 at the startup screen, a user is able to install a very minimalistic system without even a GUI. The uses for such a system are many and all beyond the scope of this document.
The reader should feel free to experiment. The only limiting factor is the size of the final compressed ISO file created in the fourth phase. The file system on a DVD cannot handle a file larger than four GiB. The file created in phase 3 is compressed by default. (It does not have to be, and if it is not, there is a performance gain.) Since it is compressed, it is possible to fit a two GiB system into 650 MiB. Using that ratio, the maximum total system size needs to be less than ~12 GiB to fit.
Despite these reasons, there are some downsides to using Xubuntu Linux. Please also consider these:
The interface is different from Microsoft Windows. While the changes are not drastic and, with some work, it can be made to look almost identical, the person implementing the system may need to put the user through a little training.
Not every function on a Linux box has a GUI. A Linux user must use the command line for some operations. When it is necessary to use the command line, this guide will be careful to make the instructions very clear.
Not all business software is compatible with a Linux machine. Again, through work, administrators can get most applications to work or find alternatives but it will require some effort.
The downsides are insignificant when compared to the advantages of each tool selected.
This document will lead the reader through five major tasks. The first is not part of ROBAM’s circle of life but describes what is necessary to start.
Obtaining the tools (both hardware and software) necessary to accomplish this task
Obtain latest release of Xubuntu
Building a secure USB Disk BAM
Update the USB Disk BAM
Using the USB Disk BAM to create a ROBAM
16.3.2. Phase 0 Collecting Necessary Tools
Below is a list of required tools including some recommendations
A computer with the following features (This procedure was tested using a Lenovo ThinkCentre M58)
o 500 MHz x86 processor (Faster is better but not necessary)
o 256 MB RAM (More is better but not necessary)
o Approximately 700 MB of free hard disk space (enough space to store the Xubuntu ISO file)
o CD/DVD Burner
o The computer must have bios new enough to recognize a USB device as bootable.
o Internet Access
A USB Drive: Two major types are available ***Warning: All data on this device will be deleted***
o USB External Hard Disk: This is the recommended choice. They usually offer larger capacity and much superior performance. It must be at least three times the size of the target installation size. For example, if the finished environment is 2 GiB then the drive must have no less than six GiB of space available. (This process was tested using a 1TB “My Book”)
o USB Solid State Memory stick (AKA Thumbdrives, Jumpdrives, or Memory Sticks): A device of this type will work if it is large enough to meet the requirements. It is much slower than the external hard disk. USB solid state memory sticks have a maximum number of overwrites. Normally this is not an issue, but running an operating system from one is more intensive than their designers intended. (This process was also tested using a Flash Voyager 15 gig Memory stick)
At least two CD/DVDs: The first will be for the Xubuntu install disk. The other is for the finished product. There is an excellent possibility that the reader will require more CD/DVD’s.
Software with a compatible function to the ones below is necessary.
o Operating system: (The test used Windows XP Pro with SP 3 and
o Web Browser (The test used Firefox with the noscript plug-in. It is available at www.mozilla.com)
o Antivirus (The test used Avast Antivirus Home Edition. It is available at www.avast.com)
o Program that can calculate MD5 and SHA1 hash values (The test used HashCalc. Available from www.slavasoft.com)
o CD/DVD Burning Software (The test used the Multimedia Center for Think Offerings. It is proprietary software available for Lenovo computers)
*** Please note that the author does not guarantee the suggested software is free of malware. The reader accepts the risk of using the recommended software. Also, note that each product has a EULA. Please read the EULA and use the software in accordance with the law. ***
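The sizing rules stated in this section (a two GiB system compressing to 650 MiB, the four GiB file limit on a DVD, and a USB drive at least three times the target installation size) can be checked before a build is started. The script below is an added example, not part of the original procedure; its function names are hypothetical, and treating 650 MiB as the CD limit is an assumption drawn from the figures in the text.

```shell
#!/bin/sh
# Added example: pre-flight sizing check built from the figures in this document.
# Function names are hypothetical; the constants come from the text.
RATIO_NUM=650            # MiB of compressed image ...
RATIO_DEN=2048           # ... per 2 GiB (2048 MiB) of installed system
CD_LIMIT_MIB=650         # assumed CD limit (the size the text fits 2 GiB into)
DVD_FILE_LIMIT_MIB=4096  # largest file the DVD file system can hold (4 GiB)
USB_FACTOR=3             # USB drive must be 3x the target installation size

# Estimated compressed image size in MiB for a system of $1 MiB.
# Uses the document's linear ratio and rounds up; real ratios vary with content.
est_image_mib() {
    echo $(( ($1 * RATIO_NUM + RATIO_DEN - 1) / RATIO_DEN ))
}

# Print the smallest medium that holds a system of $1 MiB: CD, DVD or NONE.
pick_media() {
    img=$(est_image_mib "$1")
    if [ "$img" -le "$CD_LIMIT_MIB" ]; then echo CD
    elif [ "$img" -le "$DVD_FILE_LIMIT_MIB" ]; then echo DVD
    else echo NONE
    fi
}

# Succeed if a USB drive of $1 MiB meets the 3x rule for a system of $2 MiB.
usb_large_enough() {
    [ "$1" -ge $(( $2 * USB_FACTOR )) ]
}

# Used space in MiB on the file system mounted at $1 (POSIX df, 1 KiB blocks).
used_mib() {
    df -Pk "$1" | awk 'NR==2 {print int($3 / 1024)}'
}

# Report for the running system, given the USB drive capacity in MiB.
preflight() {
    sys=$(used_mib /)
    echo "system: ${sys} MiB, est. image: $(est_image_mib "$sys") MiB, media: $(pick_media "$sys")"
    if usb_large_enough "$1" "$sys"; then
        echo "USB drive: large enough"
    else
        echo "USB drive: too small, need at least $(( sys * USB_FACTOR )) MiB"
    fi
}

# Run the report only when a USB capacity (MiB) is passed on the command line.
if [ $# -ge 1 ]; then preflight "$1"; fi
```

Run it from the USB-disk environment with the drive capacity in MiB as the only argument; a result of NONE means packages must be removed before Phase 4.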